==========
Deployment
==========

Infrastructure Overview
=======================

The reference deployment runs on AWS in the ``af-south-1`` (Cape Town) region,
fronted by Cloudflare for global CDN, DNS, DDoS protection, and SSL/TLS. The
complete infrastructure topology is shown below.

.. mermaid:: _diagrams/deployment.mmd
   :caption: Figure 7. Deployment diagram — full infrastructure architecture.

Layers
======

.. list-table::
   :header-rows: 1
   :widths: 25 75

   * - Layer
     - Responsibilities
   * - Edge (Cloudflare)
     - Global CDN, static caching, DDoS protection, SSL/TLS, DNS, failover
   * - Frontend
     - CloudFront CDN + S3 (Next.js build, React Native web assets)
   * - Load balancing
     - Application Load Balancer (HTTPS termination, health checks,
       auto-scaling triggers)
   * - Application
     - FastAPI AI engine, web frontend, and partners portal (containerized)
   * - AI services
     - Ollama embeddings, Qdrant vector DB, Gemini via OpenRouter
   * - Data
     - PostgreSQL (managed), Qdrant storage volumes

Clients reach the platform over the public Internet (web, mobile, and — per the
reference design — WhatsApp / USSD channels), while partner sites are
integrated for opportunity sourcing and external application redirection.

Containers
==========

The AI engine, web frontend, and partners portal each ship a ``Dockerfile``.
Build and run them as part of a container orchestration setup (for example ECS,
Kubernetes, or Docker Compose):

.. code-block:: bash

   docker build -t oim/ai-engine ./oim-ai-recommandation-engine-staging
   docker build -t oim/frontend ./oim-frontend-staging
   docker build -t oim/partners ./oim-partners-front-staging

Qdrant runs from the official ``qdrant/qdrant`` image with a persistent storage
volume; Ollama runs the ``bge-m3`` model; PostgreSQL is provisioned as a managed
or self-hosted instance.

Mobile Builds
=============

The mobile application is built and distributed with **EAS** (Expo Application
Services). Build profiles are defined in ``eas.json``; configure signing and
distribution channels there before producing Android / iOS binaries.

Self-Hosted (ST Digital, Cameroon)
==================================

For data-residency requirements, the Security and Privacy Plan documents a
self-hosted deployment on **ST Digital** infrastructure in Cameroon. This
involves translating the AWS reference services to their self-hosted
equivalents and applying the environment-specific security controls described
in :doc:`security`.